
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2022-21221) affects the github.com/valyala/fasthttp package versions before 1.34.0. This security issue was discovered on February 21, 2022, and publicly disclosed on March 17, 2022. The vulnerability allows Directory Traversal attacks via the ServeFile function due to improper sanitization, specifically affecting Windows users. The issue can be exploited by using a backslash (%5c) character in the path (NVD, Snyk).
The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). It received a CVSS v3.1 base score of 7.5 (HIGH) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, while Snyk assessed it at 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper path sanitization in the ServeFile function, which fails to properly handle backslash characters in file paths on Windows systems (NVD).
The vulnerability can lead to unauthorized access to files and directories stored outside the intended folder through Directory Traversal attacks. On affected Windows systems, attackers can potentially access arbitrary files and directories stored on the file system, including sensitive application source code, configuration files, and other critical system files (Snyk).
The recommended mitigation is to upgrade github.com/valyala/fasthttp to version 1.34.0 or higher, which includes the security fix. The fix adds path normalization for Windows systems and additional security checks in the ServeFile function. Users who cannot upgrade immediately are strongly advised not to pass any user-supplied paths to the ServeFile function (GitHub Release, GitHub Commit).
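The following Go program is an added illustration of the workaround above, not code from fasthttp or from the fix commit. It shows how an application can validate a request path itself before handing anything to a file-serving routine: it percent-decodes the raw path (so an encoded backslash, %5c, is seen as a backslash), rejects any backslash or ".." segment outright rather than relying on platform-specific normalization, cleans the remainder with the slash-only path package, and finally re-checks that the joined filesystem path is still inside the served root. The function names SafeRelativePath and ResolveUnderRoot, the root /srv/www and the sample request paths are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any request path that could escape the
// served root. The caller should answer 400/404 and log the attempt.
var ErrUnsafePath = errors.New("unsafe path: traversal attempt rejected")

// SafeRelativePath turns a raw (still percent-encoded) request path into a
// slash-separated relative path that is safe to join under a served root.
// Hypothetical guard written for this example; it is not fasthttp's own code.
func SafeRelativePath(rawRequestPath string) (string, error) {
	// 1. Decode first, so "%5c" is inspected as the backslash it represents.
	decoded, err := url.PathUnescape(rawRequestPath)
	if err != nil {
		return "", fmt.Errorf("bad percent-encoding: %w", err)
	}
	// 2. Reject backslashes and NUL bytes regardless of host OS. On Windows a
	//    backslash is a path separator, so "..\" behaves exactly like "../";
	//    refusing it here keeps the check identical on every platform.
	if strings.ContainsAny(decoded, "\\\x00") {
		return "", ErrUnsafePath
	}
	// 3. Reject any explicit parent-directory segment instead of silently
	//    collapsing it; a ".." in a request path is a traversal attempt worth
	//    detecting, not a typo to fix up.
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return "", ErrUnsafePath
		}
	}
	// 4. Clean with the slash-only "path" package (never "path/filepath" here,
	//    whose behaviour depends on the OS separator). Prefixing "/" makes
	//    Clean treat the input as rooted, so the result can never climb above it.
	cleaned := path.Clean("/" + decoded)
	return strings.TrimPrefix(cleaned, "/"), nil
}

// ResolveUnderRoot joins a validated request path onto root and re-verifies,
// using the OS-aware filepath package, that the result stays inside root.
// This second check is defence in depth: it would catch a future change to
// SafeRelativePath that let a traversal through.
func ResolveUnderRoot(root, rawRequestPath string) (string, error) {
	rel, err := SafeRelativePath(rawRequestPath)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, filepath.FromSlash(rel))
	back, err := filepath.Rel(root, full)
	if err != nil || back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return full, nil
}

func main() {
	// Constructed sample request paths: one benign, the rest traversal attempts.
	for _, p := range []string{
		"/static/app.js",
		"/static/..%5c..%5cwindows/win.ini", // encoded backslash, the CVE-2022-21221 shape
		"/..%2f..%2fetc/passwd",             // encoded slash traversal
		"/a/../b",                           // plain ".." segment
	} {
		full, err := ResolveUnderRoot("/srv/www", p)
		fmt.Printf("%-40s -> %q err=%v\n", p, full, err)
	}
}
```

Only the path returned by ResolveUnderRoot should ever reach ServeFile or os.Open; the raw request path is never used directly. Because the guard operates on the decoded, slash-only form before any OS-specific joining, it behaves the same whether the server runs on Linux or Windows.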
Source: This report was generated using AI